CN111401138A - Countermeasure optimization method for generating countermeasure neural network training process - Google Patents

Countermeasure optimization method for generating countermeasure neural network training process Download PDF

Info

Publication number
CN111401138A
CN111401138A CN202010113638.1A CN202010113638A CN111401138A CN 111401138 A CN111401138 A CN 111401138A CN 202010113638 A CN202010113638 A CN 202010113638A CN 111401138 A CN111401138 A CN 111401138A
Authority
CN
China
Prior art keywords
network
data
generator
training
defense
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010113638.1A
Other languages
Chinese (zh)
Other versions
CN111401138B (en
Inventor
裴颂文
沈天马
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cloud Network Suzhou Intelligent Technology Co ltd
University of Shanghai for Science and Technology
Original Assignee
Cloud Network Suzhou Intelligent Technology Co ltd
University of Shanghai for Science and Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cloud Network Suzhou Intelligent Technology Co ltd, University of Shanghai for Science and Technology filed Critical Cloud Network Suzhou Intelligent Technology Co ltd
Priority to CN202010113638.1A priority Critical patent/CN111401138B/en
Publication of CN111401138A publication Critical patent/CN111401138A/en
Priority to PCT/CN2020/118698 priority patent/WO2021169292A1/en
Priority to US17/288,566 priority patent/US11315343B1/en
Application granted granted Critical
Publication of CN111401138B publication Critical patent/CN111401138B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/10Complex mathematical operations
    • G06F17/11Complex mathematical operations for solving equations, e.g. nonlinear equations, general mathematical optimization problems
    • G06F17/13Differential equations
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/21Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/045Combinations of networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/047Probabilistic or stochastic networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V10/00Arrangements for image or video recognition or understanding
    • G06V10/70Arrangements for image or video recognition or understanding using pattern recognition or machine learning
    • G06V10/77Processing image or video features in feature spaces; using data integration or data reduction, e.g. principal component analysis [PCA] or independent component analysis [ICA] or self-organising maps [SOM]; Blind source separation
    • G06V10/774Generating sets of training patterns; Bootstrap methods, e.g. bagging or boosting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V20/00Scenes; Scene-specific elements
    • G06V20/50Context or environment of the image
    • G06V20/56Context or environment of the image exterior to a vehicle by using sensors mounted on the vehicle
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02TCLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO TRANSPORTATION
    • Y02T10/00Road transport of goods or passengers
    • Y02T10/10Internal combustion engine [ICE] based vehicles
    • Y02T10/40Engine management systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Data Mining & Analysis (AREA)
  • Software Systems (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Computation (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Mathematical Analysis (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Optimization (AREA)
  • Computational Mathematics (AREA)
  • Biomedical Technology (AREA)
  • Molecular Biology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Databases & Information Systems (AREA)
  • Multimedia (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Operations Research (AREA)
  • Algebra (AREA)
  • Medical Informatics (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Image Analysis (AREA)
  • Complex Calculations (AREA)

Abstract

The invention relates to a countermeasure optimization method for generating a countermeasure neural network training process, which comprises the steps of converting an optimal transmission problem into a solution of an elliptic type monomer-Ampere partial differential equation (MAPD) in a generator G, improving Neumann boundary conditions and expanding discretization of the MAPD to obtain optimal mapping between the generator and a discriminator so as to form a countermeasure network MAGAN in order to solve the n (n >3) -dimensional MAPD. In the process of training the defense network, the defense network can obtain the maximum distance between the two measures by overcoming the loss function of the optimal mapping, and a filtered safety sample is obtained. The effective attack method of the GANs is successfully established, and the precision is improved by 5.3%. In addition, the MAGAN can be stably trained without adjusting the hyper-parameters, and the accuracy of the unmanned target classification and identification system is well improved.

Description

Countermeasure optimization method for generating countermeasure neural network training process
Technical Field
The invention relates to an image processing technology, in particular to a confrontation optimization method for generating a confrontation neural network training process.
Background
In recent years, as a core technology of artificial intelligence, deep learning has made a lot of key breakthroughs in the fields of image, voice, natural language processing and the like, and various methods for generating antagonism examples have been proposed to attack deep neural networks. These methods involve either directly computing gradient image pixels or directly solving for optimization of image pixels.
With the continuous development of deep learning, more and more fields adopt deep learning to replace the traditional intelligent algorithm. However, some fields, such as finance, unmanned driving, etc., require high accuracy, low risk, and particularly high safety, especially autonomous driving. The impact of the challenge sample on the network model cannot be ignored. In the deep learning network, the confrontation samples influence the final learning model through slight noise. And the confrontation sample adopted by the attacker cannot be judged by human senses, so that the judgment and the defense can be carried out only through the neural network. A typical scene is a confrontation sample of an image classification model, and by superimposing a variation amount of a precise center structure on a picture, the classification model is made to make a misjudgment under a condition that the change amount is difficult to be perceived by naked eyes.
In principle, the antagonizing sample calculates a variation for the given sample. The deep learning model learns the segmentation plane in the high-dimensional space by training on the sample, and different measurements on the segmentation plane are used as different classification and discrimination results, as shown in fig. 1.
The human perception cannot be identified after one or more small shifts, but the sample can cross the segmentation plane in the deep learning result space, resulting in a change in the determination result of the machine learning model, as shown in fig. 2.
To date, these optimization problems have been solved using three broad approaches:
(1) by using optimizers such as L-BFGS or Adam (Kingma & Ba, 2015) directly, such as szegdy (2013) and Carlini & Wagner (2016), this optimizer-based approach tends to be slower and more powerful than the other approaches.
(2) Approximation by a single step gradient based technique, such as the fast gradient sign (Goodfellow et al, 2014b) or the least probable class (Kurakin et al, 2016 a). These methods are fast and require only a single forward and backward pass through the object classifier to compute the perturbation.
(3) By approximation based on iterative variants of gradient techniques (Kurakin et al, 2016 a; Moosavi Dezfolio et al, 2016 a; b). These methods use multiple forward and backward passes through the target network to more carefully move the input to the challenge classification.
Currently the countersamples are mainly attacked by the gradient and the encoder. Wherein, the attack samples generated by the encoder of the neural network are superior to the gradient attack mode. Particularly after 2017, GAN is becoming the major network generation tool as it is developed against neural networks. Therefore, GAN-based attack sample models gradually appeared in 2018 to 2019, however their model robustness was too poor due to GAN instability. The problem of GAN convergence is solved herein by optimal mapping at two measures based on the theory of optimal transmission.
GAN is a generative model that contains two networks (a generator network and a discriminator network). At a given noise source, the generator network generates synthetic data, while the discriminator network distinguishes the generated data from the real data. However, GAN is affected by training instability, most recent work on GAN training is dedicated to finding stable training methods, and the current common methods rely on heuristic methods which are extremely sensitive to modification, and the new unstable behavior against neural network training is rarely explained from the internal root of the network. This greatly limits the applicability of GAN to image processing applications.
Disclosure of Invention
The invention provides a confrontation optimization method for generating a confrontation neural network training process aiming at the problem that the convergence of the confrontation neural network (GANs) training used for attack and defense is unstable, in a generator G, an optimal transmission problem is converted into the solution of an elliptic type Monge-Ampere partial differential equation (MAPD), in order to solve the n (n >3) dimensional MAPD, Neumann boundary conditions are improved, the discretization of the MAPD is expanded to obtain the optimal mapping between the generator and a discriminator, and the confrontation network MAGAN is formed. In the process of training the defense network, the defense network can obtain the maximum distance between the two measures by overcoming the loss function of the optimal mapping, and a filtered safety sample is obtained. The solution of MAPDE can constitute a new discriminant distribution function, replacing the Wasserstein distance of WGAN.
The technical scheme of the invention is as follows: an antagonistic optimization method for generating an antagonistic neural network training process specifically comprises the following steps:
1) sending the image data training set and random noise into a generator in an anti-neural network, using generated data output by the generator as actual data of an attack sample and the image data to form two data sets X and Y, inputting the two data sets into a discriminator D in the generator, calculating probability densities rho X and rho Y of the probability densities of X, solving the maximum likelihood estimation value of the actual data and the generated data probability densities, calculating the measure of the actual data and the generated data, solving the numerical solution of an elliptic Monge-Ampere partial differential equation to obtain the optimal mapping between the actual data distribution and the generated data distribution, training the generator by calculating a loss function of the generator to form an attack network in the generator, finally obtaining the optimal mapping U between the attack sample and the actual data, and finishing the attack network training;
2) adding the discriminator D trained in the step 1) into a defense network in the antagonistic neural network, sending an image data training set and random noise into a generator in the antagonistic neural network, using output data of the generator as input data of the defense network, training the defense network through a defense network loss function obtained through the solution of Mongolian Ampere's equation and an optimal transmission theory, in the process of training the defense network, overcoming the loss function of optimal mapping, obtaining the maximum distance between two measures by the defense network, and finally obtaining the output value of the defense network through iterative training, thereby obtaining the filtered safety sample.
The loss function of the generator is:
Figure BDA0002390821700000033
wherein X, Y correspond to points within sets X and Y; ex~PxIs the expectation of the true data probability distribution; ey~PyAn expectation of probability distribution for the attack sample data;
Figure BDA0002390821700000031
is the expectation of L icpschiz continuous data DwIs a network of discriminators with weights; d is a discriminator network; g is a generator network; lambda is a penalty coefficient and is a hyper-parameter set by a training network, and E is an expectation;
the loss function of the defense network is:
Figure BDA0002390821700000032
m is the number of discrete points in each dimension of the network.
The method has the advantages that the countermeasure optimization method for the training process of the countermeasure neural network IS generated, the effective attack method of the GANs IS successfully established, and a plurality of calculation operators are provided to prove that the precision IS improved by 5.3%.
Drawings
FIG. 1 is a schematic diagram of a neural network classification and segmentation plane
FIG. 2 is a schematic diagram of a cross-domain segmentation plane of an attack sample;
FIG. 3 is a schematic of the distribution of numerical initial solutions of MAPD;
FIG. 4 is a schematic diagram of a unit-oriented inward normal vector under Neumann boundary conditions of MAPD;
FIG. 5 is a block diagram of the framework of the improved antagonistic neural network of the present invention;
FIG. 6 is a block diagram of the generation of countermeasure samples and defense networks of the present invention;
FIG. 7 is a flow chart of the attack and defense process of the neural network of the unmanned target classification and identification system of the present invention.
Detailed Description
In order to assist and realize the unmanned driving, the neural network realizes an algorithm identification part of the unmanned driving target classification and identification system for image identification and classification. Mainstream image processing and target recognition mainly employ a Convolutional Neural Network (CNN), and there is an under-fit condition in the space of real data and generated data. Therefore, there are studies on algorithms for providing attack and defense to enhance the robustness of the neural network, but the effect on the black box attack and defense is not good.
To solve this problem, a homoeomorphic mapping of a region to itself is sought, satisfying two conditions: keeping the measure and minimizing the transmission cost. Measure of retention for all of the Polel sets
Figure BDA0002390821700000041
(Ω is a finite open set), and the map T maps the probability distribution μ to a probability distribution v, denoted T × μ ═ v. The transmission cost of the optimal transmission map T: omega → omega is defined as:
I[s]=∫Xc(x,s(x))dx (1)
Figure BDA0002390821700000051
wherein I is a mapping cost function; c (x, y) is the distance x maps to y; x, y belong to a point within the set.
In this case, Brenier proves that there is a convex function u:Ω → R (R is the whole set of real numbers) whose gradient maps
Figure BDA0002390821700000052
Is the only optimal transmission map. This convex function is called the Brenier potential energy function (Brenier potential). The Brenier potential obtained by the Jacobian equation meets the Monday-Ampere equation (2), the Jacobian matrix of the gradient mapping is a Hessian matrix of a Brenier potential function,
Figure BDA0002390821700000053
Figure BDA0002390821700000054
wherein D is the partial derivative; det is determinant; rho is a measure; x, Y are the full set of x and y, respectively.
The method of Kantorovich is not a good choice, however, driving up more complex methods to efficiently compute the optimal mapping.
In the optimal transmission problem between convex sets, the transmission condition (BC) is also referred to as a second boundary value problem as a second type of boundary condition. The boundary condition may be mapped into set X by boundary nodes, and into set Y by boundary nodes, in view of the gradient that occurs in the transport boundary condition, it is desirable to find the Neumann boundary condition:
Figure BDA0002390821700000055
Figure BDA0002390821700000056
Figure BDA0002390821700000061
according to the formula (5), a boundary normal vector n is defined, and normal vector components corresponding to n dimensions in the boundary normal vector nAn amount of n1、n2、...、nnWhere the vector n is perpendicular to point X (X belongs to a point in the X set because the X set has a boundary and an unspecified point X on the boundary is also in the X set. therefore equation 5 is a qualified boundary condition, whether a domain or X, where X is simply a point within the qualified.),
Figure BDA0002390821700000062
is the boundary of the set of X, which is the partial derivative with respect to X. Phi is a normal vector calculation function, and is calculated by equation (7). The normal vector component n for each dimension in equation 7 is multiplied by the partial derivative of u under the corresponding dimension, i.e. the difference between the unit step size and the central value of each dimension of the function u is moved forward.
x is n-dimensional, so
Figure BDA0002390821700000063
Lower index n, i1、i2、i3、…、inN in total, representing different dimensions. Because the numerical solution requires discretization, there are m discrete points in each dimension, i.e., i ═ 1,2,3, …, m. The difference is calculated by the five-step method by using front and rear points, namely i +1 and i. Assuming dimension 1, the front and back point index is i1,(i+1)1I.e. by
Figure BDA0002390821700000064
And
Figure BDA0002390821700000065
rule is as follows: and sequentially taking the x subscript in the first item u back to the unit step length i +1 according to the dimensionality.
The Monday-Ampere equation is solved again with this updated boundary condition to obtain a new numerical solution. Wherein u isk+1Is the solution for the k +1 time iteration. Because it is monotonic, this scheme relies only on values within the square. When the dimensionality of the MAPDE is greater than 2, there are many nodes around the boundary that directly affect the value of the solution, as shown in fig. 3. This will take more computation time and therefore should pay more attention to the boundaries and use the upper bounds of these monotonic methods for all acceptable boundsTo ensure that a highly accurate numerical solution is obtained. The monotonicity of the method is preserved. First, a boundary is set on the other side of the square area. Then, at the corners, the derivation directions of the other dimensions are limited in the form of tilt constraints. And the allowed directions are limited to a single quadrant, which ensures that the required information will continue to remain within the square area. Next, a new approximation is obtained in the inward direction. Finally, as shown in fig. 4, the above steps are repeated until a suitable boundary is obtained, which corresponds to considering all the support hyperplanes at these points.
The present invention defines several finite difference operators that are employed to approximate the first and second partial derivatives using the central difference. Standard discretization of this equation by center difference:
Figure BDA0002390821700000071
MA is a discrete solution Monday-Ampere equation (Monge-Ampere PDE); d is partial derivative; f, g are measures. u is a discrete numerical solution to the Monday-Ampere equation.
Wherein the finite difference operator is:
Figure BDA0002390821700000072
Figure BDA0002390821700000073
Figure BDA0002390821700000074
Figure BDA0002390821700000075
will also follow these directions
Figure BDA0002390821700000076
The finite difference operator is further computed:
Figure BDA0002390821700000077
Figure BDA0002390821700000078
Figure BDA0002390821700000079
the result of discretization is a variational form of the MA computation operator, to which an additional term will be added to further penalize the non-convexity:
Figure BDA0002390821700000081
based on newton iterations, the partial derivatives of all nodes need to be calculated. However, when the dimension is larger than 3, it is difficult to obtain all the partial derivatives of high dimension. Although the solution of MAPDE can be discretized by setting step h, the high dimension also makes it difficult for nodes in the mesh to define the context of the node. It can be found that the relative nodes in each dimension are mostly its forward and backward nodes. And the nodes of the central difference in different dimensions are the same node. Therefore, it is proposed to use surrounding gradients instead of global gradients to speed up the high-dimensional convergence.
Iterative expressions of MAPDE under Neumann boundary conditions and initialized expressions at the beginning of solving equations can be obtained:
Figure BDA0002390821700000082
Figure BDA0002390821700000083
the MAPD can be solved to obtain the best mapping u (x) between the actual data distribution and the generated distribution, then the cost function for the OT problem can be obtained as follows, which trains how efficiently the generator generates the real data equation 14 is to solve the maximum likelihood estimate of the real data and the generated data, and the maximum of equation 15 is solved by M L E to determine the distribution of the real data and the generated data.
Figure BDA0002390821700000084
Figure BDA0002390821700000085
The optimal mapping u (x) is obtained by solving the Montanian as shown by the dashed rectangle in FIG. 5.
And sending the image data training set and the random noise into a generator, outputting data by the generator as an attack sample and real image data, and correspondingly obtaining a brand-new discriminator D formed by two data sets X and Y entering a dotted rectangle. The measure of the real data and the measure of the generated data are distinguished by a brand-new discriminator D, and the generator G continuously resists the discriminator D in the training process, so that effective attack is carried out. The optimal mapping u (x) is obtained by solving the Mongolian equation, and the generation of the attack countermeasures sample is realized by the generator G trained in the figure 5. I.e. the generator internally constitutes the attack network. In training the discriminator D shown in fig. 5, the upper bound of the loss function of the generator of equation 16 is solved; on the contrary, in the process of training the generator G shown in fig. 5, the lower bound of the loss function of the generator of formula 16 is obtained, and finally a good countermeasure effect is obtained. The loss function of the Monge-Kantorovich transmission problem replaces the Wasserstein distance of the WGAN as a new divergence.
At the start of training, only the true data of the image data is used to obtain the probability density PX of X. Probability density ρ Y of attack sample Y, to generate distribution PgTrue data distribution PrData is generated because the solution of MAPD results in PgTends to Pr. P may then be used according to Neumann boundary conditionsrAnd PgThe appropriate boundary is calculated by equation (13). Next, a Finite Difference Method (FDM) is used to obtain a system of equations F [ u ]]0 and by newtonThe system of equations is solved iteratively.
Figure BDA0002390821700000091
The method comprises the following implementation steps:
step one, calculating probability density rho X of X and probability density rho Y of Y
Solving the maximum likelihood estimation value of the real data and the generated data;
step three, calculating the measure of the real data and the generated data;
step four, calculating a first type boundary of the MAPD;
step five, calculating the real data distribution PrAnd generating a distribution PgOptimal u (x) in (a);
step six, iteration gradient values;
step seven, calculating a loss function;
and circulating the steps until the cost function is converged.
The network is adopted by the MAGAN to be applied to a countermeasure sample generation network. As shown in fig. 5, the black box attack and the white box attack are more efficiently implemented by the good robustness of the MAGAN, so as to form an attack network. In order to better defend against the attack of the sample, the attack sample generated by the generator G is used to train the defense network, and the solution of the Monday-Ampere equation is used to strengthen the robustness as shown in fig. 6. The discriminator D in fig. 6 corresponds to the structure within the dashed box in fig. 5, which contains the numerical solution of the partial differential equation. When the discriminators are applied to the lower discriminator network of fig. 6 after training, the filtered samples are subjected to training of the defense network. The sample of the generator G is used as input data of the defense network, and the input training data has strong robustness of black box and white box attacks, so that the input data is subjected to logistic regression through a loss function of the defense network to calculate cross entropy, real data and artificial fake data are separated, an isolation effect is achieved, and a good defense effect is achieved.
Wherein the loss function for the generator is:
Figure BDA0002390821700000101
wherein X, Y correspond to points within sets X and Y; ex~PxIs the expectation of the true data probability distribution; ey~PyAn expectation of probability distribution for the attack sample data;
Figure BDA0002390821700000102
is the expectation of L icpschiz continuous data DwIs a network of discriminators with weights; d is a discriminator network; g is a generator network; lambda is a penalty coefficient and is a hyper-parameter set by a training network, and E is an expectation;
the loss function of the defense network is:
Figure BDA0002390821700000111
after the attack network in fig. 5 is trained, the defense network in fig. 6 is implemented by adding a target attack network, as shown in fig. 7. In the right box of fig. 7, by setting the loss function of the generator, the generator G can learn the measure of the attack sample to calculate the optimal mapping U. The generator can then derive attack samples for the target network based on the input data and random noise, thereby making an effective attack. The target network refers to a network needing attack, namely a known network trained by others. In the left box of fig. 7, the output data of the generator G is taken as input data of the defense network,by passingThe right frame trains the defense network according to the solution of the Mongolian Ampere equation and the loss function obtained from the optimal transmission theory, equation 17. Equation 16 is a generator network, and when the defense network trains, the loss function of the generator does not participate in the training. In the course of training the defense network, the defense network can obtain the maximum distance between the two measures by overcoming the loss function of the optimal mapping. Finally, an output value of the defense network can be obtained through iterative training, and the unmanned target classification and recognition system can be well helped to judge the attack sample.

Claims (2)

1. An antagonistic optimization method for generating an antagonistic neural network training process is characterized by comprising the following steps:
1) sending the image data training set and random noise into a generator in an anti-neural network, using generated data output by the generator as actual data of an attack sample and the image data to form two data sets X and Y, inputting the two data sets into a discriminator D in the generator, calculating probability densities rho X and rho Y of the probability densities of X, solving the maximum likelihood estimation value of the actual data and the generated data probability densities, calculating the measure of the actual data and the generated data, solving the numerical solution of an elliptic Monge-Ampere partial differential equation to obtain the optimal mapping between the actual data distribution and the generated data distribution, training the generator by calculating a loss function of the generator to form an attack network in the generator, finally obtaining the optimal mapping U between the attack sample and the actual data, and finishing the attack network training;
2) adding the discriminator D trained in the step 1) into a defense network in the antagonistic neural network, sending an image data training set and random noise into a generator in the antagonistic neural network, using output data of the generator as input data of the defense network, training the defense network through a defense network loss function obtained through the solution of Mongolian Ampere's equation and an optimal transmission theory, in the process of training the defense network, overcoming the loss function of optimal mapping, obtaining the maximum distance between two measures by the defense network, and finally obtaining the output value of the defense network through iterative training, thereby obtaining the filtered safety sample.
2. The method of generating an antagonistic optimization to the neural network training process of claim 1, wherein the loss function of the generator is:
Figure FDA0002390821690000011
wherein X, Y correspond to points within sets X and Y; ex~PxIs the expectation of the true data probability distribution; ey~PyFor attacking samplesA desire for a probability distribution of data;
Figure FDA0002390821690000012
is the expectation of L icpschiz continuous data DwIs a network of discriminators with weights; d is a discriminator network; g is a generator network; lambda is a penalty coefficient and is a hyper-parameter set by a training network, and E is an expectation;
the loss function of the defense network is:
Figure FDA0002390821690000013
m is the number of discrete points in each dimension of the network.
CN202010113638.1A 2020-02-24 2020-02-24 Countermeasure optimization method for generating countermeasure neural network training process Active CN111401138B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN202010113638.1A CN111401138B (en) 2020-02-24 2020-02-24 Countermeasure optimization method for generating countermeasure neural network training process
PCT/CN2020/118698 WO2021169292A1 (en) 2020-02-24 2020-09-29 Adversarial optimization method for training process of generative adversarial neural network
US17/288,566 US11315343B1 (en) 2020-02-24 2020-09-29 Adversarial optimization method for training process of generative adversarial network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010113638.1A CN111401138B (en) 2020-02-24 2020-02-24 Countermeasure optimization method for generating countermeasure neural network training process

Publications (2)

Publication Number Publication Date
CN111401138A true CN111401138A (en) 2020-07-10
CN111401138B CN111401138B (en) 2023-11-07

Family

ID=71430417

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010113638.1A Active CN111401138B (en) 2020-02-24 2020-02-24 Countermeasure optimization method for generating countermeasure neural network training process

Country Status (3)

Country Link
US (1) US11315343B1 (en)
CN (1) CN111401138B (en)
WO (1) WO2021169292A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112801297A (en) * 2021-01-20 2021-05-14 哈尔滨工业大学 Machine learning model adversity sample generation method based on conditional variation self-encoder
CN112989359A (en) * 2021-03-17 2021-06-18 华南理工大学 Backdoor attack method for pedestrian re-identification model based on triple loss
WO2021169292A1 (en) * 2020-02-24 2021-09-02 上海理工大学 Adversarial optimization method for training process of generative adversarial neural network
CN113395653A (en) * 2021-06-08 2021-09-14 南京工业大学 Fingerprint positioning Radio Map expansion method based on DC-CGAN
CN114708974A (en) * 2022-06-06 2022-07-05 首都医科大学附属北京友谊医院 Method for predicting hospitalization duration of new coronary pneumonia patient and related product
CN115064250A (en) * 2022-06-06 2022-09-16 大连理工大学 Method for adjusting distribution of stay in hospital and related product
CN116545767A (en) * 2023-06-27 2023-08-04 北京天云海数技术有限公司 Automatic XSS attack load generation method and system based on generation countermeasure network

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11763135B2 (en) * 2021-03-01 2023-09-19 Robert Bosch Gmbh Concept-based adversarial generation method with steerable and diverse semantics
CN114219778B (en) * 2021-12-07 2024-04-02 北京工业大学 Data depth enhancement method based on WGAN-GP data generation and poisson fusion
CN114154250B (en) * 2021-12-20 2024-06-14 北京航空航天大学 DCCGAN-based hypersonic aircraft flow thermosetting coupling physical field solving method
CN114117333B (en) * 2022-01-20 2022-05-17 南湖实验室 Countermeasure reconstruction network design, training method and detection method for anomaly detection
CN114969785B (en) * 2022-05-27 2024-06-18 哈尔滨工业大学(深圳) Carrier-free image steganography method based on reversible neural network
CN115047721B (en) * 2022-05-31 2024-07-23 广东工业大学 Method for rapidly calculating mask near field by using cyclic coincidence countermeasure network
CN115276766B (en) * 2022-07-19 2024-05-31 西安电子科技大学 Optimization method for auxiliary interference power and trajectory combination of cooperative Unmanned Aerial Vehicle (UAV)
CN115984792B (en) * 2022-09-30 2024-04-30 北京瑞莱智慧科技有限公司 Countermeasure test method, system and storage medium
US11895344B1 (en) 2022-12-09 2024-02-06 International Business Machines Corporation Distribution of media content enhancement with generative adversarial network migration
CN116071797B (en) * 2022-12-29 2023-09-26 北华航天工业学院 Sparse face comparison countermeasure sample generation method based on self-encoder
CN117012204B (en) * 2023-07-25 2024-04-09 贵州师范大学 Defensive method for countermeasure sample of speaker recognition system
CN117669651B (en) * 2024-01-31 2024-05-14 山东省计算中心(国家超级计算济南中心) ARMA model-based method and ARMA model-based system for defending against sample black box attack

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108711138A (en) * 2018-06-06 2018-10-26 北京印刷学院 A kind of gray scale picture colorization method based on generation confrontation network
CN109389166A (en) * 2018-09-29 2019-02-26 聚时科技(上海)有限公司 The depth migration insertion cluster machine learning method saved based on partial structurtes
CN110222628A (en) * 2019-06-03 2019-09-10 电子科技大学 A kind of face restorative procedure based on production confrontation network

Family Cites Families (38)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110059793B (en) 2017-10-26 2024-01-26 辉达公司 Gradual modification of a generative antagonistic neural network
US20190147343A1 (en) 2017-11-15 2019-05-16 International Business Machines Corporation Unsupervised anomaly detection using generative adversarial networks
US11137761B2 (en) * 2017-11-20 2021-10-05 At&T Intellectual Property I, L.P. Object modeling with adversarial learning
US10592779B2 (en) * 2017-12-21 2020-03-17 International Business Machines Corporation Generative adversarial network medical image generation for training of a classifier
CN110945528B (en) * 2018-02-07 2021-04-02 应用材料以色列公司 Method for generating training set for inspecting semiconductor sample and system thereof
US10970765B2 (en) * 2018-02-15 2021-04-06 Adobe Inc. Generating user-customized items using a visually-aware image generation network
US11069030B2 (en) * 2018-03-22 2021-07-20 Adobe, Inc. Aesthetics-guided image enhancement
US10810754B2 (en) * 2018-04-24 2020-10-20 Ford Global Technologies, Llc Simultaneous localization and mapping constraints in generative adversarial networks for monocular depth estimation
GB201809604D0 (en) * 2018-06-12 2018-07-25 Tom Tom Global Content B V Generative adversarial networks for image segmentation
CN109584178A (en) * 2018-11-29 2019-04-05 腾讯科技(深圳)有限公司 Image repair method, device and storage medium
US11087170B2 (en) * 2018-12-03 2021-08-10 Advanced Micro Devices, Inc. Deliberate conditional poison training for generative models
KR20200075344A (en) * 2018-12-18 2020-06-26 삼성전자주식회사 Detector, method of object detection, learning apparatus, and learning method for domain transformation
KR20200093910A (en) * 2019-01-29 2020-08-06 삼성전자주식회사 Method for providing data assocatied with original data, electronic device and storage medium therefor
JP7268367B2 (en) * 2019-01-30 2023-05-08 富士通株式会社 LEARNING DEVICE, LEARNING METHOD AND LEARNING PROGRAM
US11024013B2 (en) * 2019-03-08 2021-06-01 International Business Machines Corporation Neural network based enhancement of intensity images
CN109919251A (en) * 2019-03-21 2019-06-21 腾讯科技(深圳)有限公司 A kind of method and device of object detection method based on image, model training
US11120526B1 (en) * 2019-04-05 2021-09-14 Snap Inc. Deep feature generative adversarial neural networks
KR20200132665A (en) * 2019-05-17 2020-11-25 삼성전자주식회사 Attention layer included generator based prediction image generating apparatus and controlling method thereof
JP7016835B2 (en) * 2019-06-06 2022-02-07 キヤノン株式会社 Image processing method, image processing device, image processing system, learned weight manufacturing method, and program
KR20200142374A (en) * 2019-06-12 2020-12-22 삼성전자주식회사 Method for selecting artificial intelligience model based on input data and disaply apparatus for performing the same method thereof
US11068753B2 (en) * 2019-06-13 2021-07-20 Visa International Service Association Method, system, and computer program product for generating new items compatible with given items
US11373093B2 (en) * 2019-06-26 2022-06-28 International Business Machines Corporation Detecting and purifying adversarial inputs in deep learning computing systems
US10496809B1 (en) * 2019-07-09 2019-12-03 Capital One Services, Llc Generating a challenge-response for authentication using relations among objects
WO2021025217A1 (en) * 2019-08-08 2021-02-11 엘지전자 주식회사 Artificial intelligence server
US20210049452A1 (en) * 2019-08-15 2021-02-18 Intuit Inc. Convolutional recurrent generative adversarial network for anomaly detection
EP3798917A1 (en) * 2019-09-24 2021-03-31 Naver Corporation Generative adversarial network (gan) for generating images
KR20190119548A (en) * 2019-10-02 2019-10-22 엘지전자 주식회사 Method and apparatus for processing image noise
US11232328B2 (en) * 2020-01-31 2022-01-25 Element Ai Inc. Method of and system for joint data augmentation and classification learning
CN111401138B (en) 2020-02-24 2023-11-07 上海理工大学 Countermeasure optimization method for generating countermeasure neural network training process
US11961219B2 (en) * 2020-02-27 2024-04-16 KLA Corp. Generative adversarial networks (GANs) for simulating specimen images
KR20210136706A (en) * 2020-05-08 2021-11-17 삼성전자주식회사 Electronic apparatus and method for controlling thereof
US11651292B2 (en) * 2020-06-03 2023-05-16 Huawei Technologies Co., Ltd. Methods and apparatuses for defense against adversarial attacks on federated learning systems
US20210383241A1 (en) * 2020-06-05 2021-12-09 Nvidia Corporation Training neural networks with limited data using invertible augmentation operators
US20210397198A1 (en) * 2020-06-18 2021-12-23 Ford Global Technologies, Llc Enhanced vehicle operation
JP7419178B2 (en) * 2020-07-01 2024-01-22 株式会社東芝 Learning devices, methods and programs
US20220027490A1 (en) * 2020-07-24 2022-01-27 Siemens Aktiengesellschaft Gan-based data obfuscation decider
US20220036564A1 (en) * 2020-08-03 2022-02-03 Korea Advanced Institute Of Science And Technology Method of classifying lesion of chest x-ray radiograph based on data normalization and local patch and apparatus thereof
US11328410B2 (en) * 2020-08-03 2022-05-10 KLA Corp. Deep generative models for optical or other mode selection

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108711138A (en) * 2018-06-06 2018-10-26 北京印刷学院 A kind of gray scale picture colorization method based on generation confrontation network
CN109389166A (en) * 2018-09-29 2019-02-26 聚时科技(上海)有限公司 The depth migration insertion cluster machine learning method saved based on partial structurtes
CN110222628A (en) * 2019-06-03 2019-09-10 电子科技大学 A kind of face restorative procedure based on production confrontation network

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
QUANCHUN JIANG等: "Weakly-Supervised Image Semantic Segmentation Based on Superpixel Region Merging", 《BIG DATA COGN. COMPUT》, pages 1 - 20 *
马丽涛等: "最优传输理论及其在图像处理中的应用", 运筹学学报, pages 109 - 125 *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021169292A1 (en) * 2020-02-24 2021-09-02 上海理工大学 Adversarial optimization method for training process of generative adversarial neural network
US11315343B1 (en) 2020-02-24 2022-04-26 University Of Shanghai For Science And Technology Adversarial optimization method for training process of generative adversarial network
CN112801297A (en) * 2021-01-20 2021-05-14 哈尔滨工业大学 Machine learning model adversity sample generation method based on conditional variation self-encoder
CN112801297B (en) * 2021-01-20 2021-11-16 哈尔滨工业大学 Machine learning model adversity sample generation method based on conditional variation self-encoder
CN112989359A (en) * 2021-03-17 2021-06-18 华南理工大学 Backdoor attack method for pedestrian re-identification model based on triple loss
CN113395653A (en) * 2021-06-08 2021-09-14 南京工业大学 Fingerprint positioning Radio Map expansion method based on DC-CGAN
CN114708974A (en) * 2022-06-06 2022-07-05 首都医科大学附属北京友谊医院 Method for predicting hospitalization duration of new coronary pneumonia patient and related product
CN115064250A (en) * 2022-06-06 2022-09-16 大连理工大学 Method for adjusting distribution of stay in hospital and related product
CN116545767A (en) * 2023-06-27 2023-08-04 北京天云海数技术有限公司 Automatic XSS attack load generation method and system based on generation countermeasure network
CN116545767B (en) * 2023-06-27 2024-01-09 北京天云海数技术有限公司 Automatic XSS attack load generation method and system based on generation countermeasure network

Also Published As

Publication number Publication date
US20220122348A1 (en) 2022-04-21
US11315343B1 (en) 2022-04-26
CN111401138B (en) 2023-11-07
WO2021169292A1 (en) 2021-09-02

Similar Documents

Publication Publication Date Title
CN111401138A (en) Countermeasure optimization method for generating countermeasure neural network training process
Grathwohl et al. Ffjord: Free-form continuous dynamics for scalable reversible generative models
CN111275115B (en) Method for generating counterattack sample based on generation counternetwork
Grathwohl et al. Scalable reversible generative models with free-form continuous dynamics
CN109639710B (en) Network attack defense method based on countermeasure training
WO2021243787A1 (en) Intra-class discriminator-based method for weakly supervised image semantic segmentation, system, and apparatus
CN109165735B (en) Method for generating sample picture based on generation of confrontation network and adaptive proportion
CN110276377A (en) A kind of confrontation sample generating method based on Bayes's optimization
CN110866287B (en) Point attack method for generating countercheck sample based on weight spectrum
CN113496247B (en) Estimating implicit likelihood of generating an countermeasure network
CN111783551B (en) Countermeasure sample defense method based on Bayesian convolutional neural network
CN110119768B (en) Visual information fusion system and method for vehicle positioning
CN110826500B (en) Method for estimating 3D human body posture based on antagonistic network of motion link space
Suzuki et al. Adversarial example generation using evolutionary multi-objective optimization
CN113033822A (en) Antagonistic attack and defense method and system based on prediction correction and random step length optimization
CN108629809A (en) A kind of accurate efficient solid matching method
CN111553296B (en) Two-value neural network stereo vision matching method based on FPGA
CN113806559B (en) Knowledge graph embedding method based on relationship path and double-layer attention
CN113935496A (en) Robustness improvement defense method for integrated model
CN111950635A (en) Robust feature learning method based on hierarchical feature alignment
CN111353525A (en) Modeling and missing value filling method for unbalanced incomplete data set
CN111260706A (en) Dense depth map calculation method based on monocular camera
CN115510986A (en) Countermeasure sample generation method based on AdvGAN
WO2022236647A1 (en) Methods, devices, and computer readable media for training a keypoint estimation network using cgan-based data augmentation
Zhao et al. No-reference stereoscopic image quality assessment based on dilation convolution

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant